So last week I wrote an article for SearchSoftwareQuality on Quick Attacks for Web Security.
One of the techniques I mentioned was Cross-Site Scripting, or xSS. (The x stands for "cross", ya dig?)
Put simply, with xSS, you type some code, generally javascript, into an input box and save it - say, your 'first name' - and then, when someone else views your profile (or page, or blog post, or comment, etc.), that javascript runs.
Once the javascript is running, the bad guys essentially have control of the viewer's browser. They can use it to do something trivial, like display an ad, pop up a gambling website, or a less reputable site ... or maybe pop up a website that loads a trojan horse or virus program.
In the article I suggest testing for xSS by using an extremely simple, short piece of code I learned from my friend David Christiansen. Here's the code:
<script>alert('f')</script>
Now if the browser loads the tags as HTML, it will interpret the code as an instruction to pop up a message box with the single letter 'f' in it. You also won't see the tags, since they'll be interpreted as code rather than displayed as text.
So they put my article up on the site a little early without notifying me -- this is pretty standard practice and no big deal.
But then I get this Instant Message from Ajay Balamurugadas ...
You guessed it. When he viewed the article, an 'f' popped up and the code to run the xSS attack did not appear! Oh, the Irony!
Yes, dear, these attacks really do work.
Now, don't go worrying that SearchSoftwareQuality is insecure; it is secure. The assistant editor who published the article probably pasted into HTML mode instead of Visual mode, so the script tags were interpreted as HTML rather than escaped as text.
The thing is, that editor was a privileged user. In order to even be in a position to do the paste, he had to log in. The system trusted him, and he made an honest mistake.
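Here is an added example (my own illustration, not code from the article or from SearchSoftwareQuality's CMS) of the difference between pasting the probe in as raw HTML and emitting it as escaped text, plus the one-line check a tester can run on a response to see which of the two happened. The field name and markup are made up for the example.

```javascript
// The same probe the article recommends.
const XSS_PROBE = "<script>alert('f')</script>";

// Escape the five characters that matter in HTML text and attribute contexts.
// This is what a template engine's default (auto-escaping) output does.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// "HTML mode": the submitted value is dropped into the page as markup.
// This is the path the article body took, and the browser runs the script.
function renderRaw(firstName) {
  return `<p class="first-name">${firstName}</p>`;
}

// "Visual mode" / escaped output: the same value is shown as literal text,
// so the viewer sees the tags on screen and nothing executes.
function renderEscaped(firstName) {
  return `<p class="first-name">${escapeHtml(firstName)}</p>`;
}

// Tester's check on a server response: did the probe come back as an
// executable <script tag (a finding), or as &lt;script&gt; text (fine)?
function probeReflectedAsMarkup(html) {
  return /<script\b/i.test(html);
}

// Walk both renderings of a constructed "first name" field and report
// which one would have popped up the 'f'.
function compareRenderings(firstName) {
  return {
    raw: probeReflectedAsMarkup(renderRaw(firstName)),
    escaped: probeReflectedAsMarkup(renderEscaped(firstName)),
  };
}
```

The check is deliberately cheap: it only tells you the probe survived as markup, which is exactly what the editor's paste did, and says nothing about whether a browser would actually run it in every context.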
If my code had been:
<SCRIPT src="http://xndev.com/standards.js"></SCRIPT>
I doubt he would have pasted it. Even if he had, there would be a paper trail right back to me; it would be foolish for me to give out something like that.
Which leads me to two other, more common attacks:
Social Engineering - tricking someone into doing something they have the rights to do but you do not
Escalation of Privilege - finding ways to do things beyond your (implied) privilege set
My article on web attacks was relatively technical; these other kinds of attacks are more social in nature.
If you'd be interested in seeing a future article on testing (and improving) web security through social efforts, just let me know. That article practically writes itself ...
For what it's worth, standards.js generates the global navigation for my personal website.